F5 load balancer over https url - f5

I have a service exposed over 2 nodes, each node has a https url for the service.
I want to put a F5 on top of these 2 https nodes, is it possible

Yes. First create an HTTPS monitor: some request that, when you get the right response back, marks the node as 'online'. Then create a pool with the two nodes (listing their IP and port number) and attach the monitor. Then create a virtual server or two (I normally make an HTTP one with no pool and the built-in HTTPS redirect iRule) plus the HTTPS virtual server. Give them the same IP address and allow all source addresses (the source here is what allows the F5 to select it; you can restrict IP addresses further with the firewall policy).
Auto SNAT will make the F5 replicate the request to the backend server, but with the src IP of the F5. If you care about the client IP address on the backend servers, they will need to listen for the X-Forwarded-For header. You'll need to add a profile to the HTTPS virtual server to attach such a header and populate it with the client's 'real' src IP. Then attach the pool and make sure the VS firewall is open correctly.
You'll also need to import the right certs and keys and create an SSL profile that matches the DNS name you want to point at this VS, and attach the SSL profile to the HTTPS VIP in the client SSL section. The server SSL section is normally ssl-insecure-compatible.
For the DNS name, hopefully your 2 nodes are named something like web1.example.com and web2.example.com, so the DNS name for the VIP should be web.example.com and the SSL cert required would be for web.example.com, or *.example.com if you're feeling frisky lol.
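The steps in the answer above written out as a tmsh listing, added here as an illustration and not part of the original answer. The object names, the pool member addresses 10.0.0.11 and 10.0.0.12, the VIP 192.0.2.10, the health-check path /health and the certificate file names are all assumptions; the _sys_https_redirect iRule and the serverssl-insecure-compatible profile are F5 built-ins. One caveat worth knowing: serverssl-insecure-compatible does not verify the backend certificate, so if the hop from the F5 to the nodes crosses an untrusted network, use a server-ssl profile with peer-cert-mode require and a ca-file instead.

```tmsh
# Added example, not from the original answer. Names and addresses are assumptions.

# 1. HTTPS monitor: a node is 'online' only while /health answers 200
create ltm monitor https web_https_mon {
    defaults-from https
    send "GET /health HTTP/1.1\r\nHost: web.example.com\r\nConnection: close\r\n\r\n"
    recv "HTTP/1.1 200"
    interval 10
    timeout 31
}

# 2. Pool of the two HTTPS nodes with the monitor attached
create ltm pool web_pool {
    monitor web_https_mon
    members add { 10.0.0.11:443 10.0.0.12:443 }
}

# 3. HTTP profile that inserts X-Forwarded-For (needed because SNAT automap
#    hides the client IP from the nodes)
create ltm profile http web_http_xff {
    defaults-from http
    insert-xforwarded-for enabled
}

# 4. Client-SSL profile with the certificate for the VIP's DNS name
#    (web.example.com.crt / .key must already be imported)
create ltm profile client-ssl web_clientssl {
    defaults-from clientssl
    cert web.example.com.crt
    key web.example.com.key
}

# 5. HTTPS virtual server: any source, SNAT automap, client-side and
#    server-side SSL, pool attached
create ltm virtual web_https {
    destination 192.0.2.10:443
    ip-protocol tcp
    source 0.0.0.0/0
    pool web_pool
    source-address-translation { type automap }
    profiles add {
        tcp
        web_http_xff
        web_clientssl { context clientside }
        serverssl-insecure-compatible { context serverside }
    }
}

# 6. HTTP virtual server on the same IP with no pool, only the redirect iRule
create ltm virtual web_http {
    destination 192.0.2.10:80
    ip-protocol tcp
    source 0.0.0.0/0
    profiles add { tcp http }
    rules { _sys_https_redirect }
}
```

Because the HTTPS VS accepts 0.0.0.0/0, restricting who may reach it is left to the AFM/firewall policy on the virtual server, as the answer says; the pool members should likewise only accept connections from the F5's self IPs, since after SNAT that is the only address they will ever see.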

Related

https traffic to specific ip addresses using elb

I have created a failover environment with Route 53 and two ELBs. Every ELB has multiple app servers attached. If I allow HTTPS traffic from everyone, the application is accessible, but when I restrict the HTTPS traffic to a specific IP address range the application is not accessible, even from those IP addresses that have permission.
I assume when you say you allow HTTP traffic from specific IP addresses, you are doing it at the security group level. If yes, then make sure you modify the security groups of the load balancers and not the backend instances. The backend instances will receive HTTP traffic from the load balancer IPs (which would be your ELB subnets' CIDR block, or, if not being too restrictive, you can allow HTTP traffic from the VPC CIDR range).
Additionally, ensure that the load balancers and the backend instances have different security groups.
ELB SG -> HTTP:80, SOURCE
BACKEND SG -> HTTP:80, SOURCE ELB SUBNET/VPC CIDR BLOCK
These would be simple changes if you are using SSL termination, but the logic remains the same.
If you are not using security groups but something else then we would have to check your specific configuration.

Can navigate to website from external network but can't from internal

So here is my issue: I have a website hosted from a virtual machine on my server and am using a DynDNS service to point a URL to my IP. My ISP recently set up a new modem which unfortunately has its own built-in gateway and router. After fighting it to forward port 80, I tested it by trying to navigate to the site via the URL and it didn't work; then I tested it on my phone connected to the cell data network and it worked! I am able to visit the site via the URL as long as I am not connected to my network. I find this very weird and cannot figure out why.
I am able to view the site on my network by typing in the local IP of the server.
Any suggestions why this might be occurring?
Yes, this is a pain. Usually your modem won't route traffic from inside that's destined for its public IP address.
When you come from outside, the traffic hits the modem from the external line, and the port forwarding rules get applied, and the traffic reaches your web server. But those port forwarding rules don't get applied to internal traffic. You're trying to browse the web server on the modem, rather than on your server.
I did once find a modem that allowed forwarding of internal traffic, but that was a long time ago, and I haven't seen one like it since. What I do these days is to use the internal address when I'm on the internal network, and the external address when I'm not. For things that get scripted, I have a little function that determines whether I'm on my local network or not, and programmatically chooses the right way to address the server.
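The "am I on my own LAN?" check that the answer above describes, as an added Ruby example that is not code from the original answer. The LAN range 192.168.1.0/24, the server's inside address 192.168.1.20 and the name example.dyndns.org are constructed assumptions; the function looks at the machine's own interface addresses and picks the address that will actually reach the server from where the script is running.

```ruby
require 'ipaddr'
require 'socket'

# Added example, not from the original answer. LAN range, inside address and
# DynDNS name are assumptions for the illustration.
LAN_RANGE   = IPAddr.new('192.168.1.0/24')
INSIDE_URL  = 'http://192.168.1.20/'        # only reachable from inside the LAN
OUTSIDE_URL = 'http://example.dyndns.org/'  # only works from outside (no hairpin NAT)

# True when any of the given interface addresses sits in the LAN range.
# Strings that are not addresses (e.g. from a broken interface list) are ignored.
def on_lan?(local_addrs, lan = LAN_RANGE)
  local_addrs.any? do |addr|
    begin
      ip = IPAddr.new(addr)
    rescue IPAddr::Error
      next false
    end
    ip.ipv4? && lan.include?(ip)
  end
end

# Choose the URL to use for the server. By default the real interface list is
# consulted; pass an explicit list to make the decision testable offline.
def server_url(local_addrs = Socket.ip_address_list.map(&:ip_address))
  on_lan?(local_addrs) ? INSIDE_URL : OUTSIDE_URL
end

puts server_url if __FILE__ == $PROGRAM_NAME
```

The check deliberately keys on the interface address rather than trying to connect to the public name first: a connection attempt to the public IP from inside a non-hairpinning network does not fail cleanly, it lands on the modem's own admin page, which is exactly the confusing symptom the question describes.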
This is because your router does not support hairpinning (or does not have it set up).
From the Cisco Support Community:
The term hairpinning comes from the fact that the traffic comes from one source into a router or similar devices, makes a U-turn and goes back the same way it came.
Visualize this and you see something that looks like a hairpin.
Hairpin NAT is a useful technique for accessing an internal server using a public IP. Since you are using a public IP to attempt to access a server in your network, the traffic will attempt to go out to the internet. In order to reach the server, the traffic will need to be redirected to the correct location.
The problem is how you are doing your internal routing and DNS.
You can do a DNS lookup and traceroute to see where the website name is not resolving, and check whether pinging the domain (e.g. ping something.com) returns the public IP.
I resolved ours by doing policy routing on the website FQDN to go through a different WAN. It's working fine. This works for those with a different WAN terminating at the site.
The other way is to redo the DNS configuration in the internal network.

What is it called when you use "mail" in "mail.google.com", for example?

I know it is probably a dumb question, but I don't know how to refer to it.
What is it called when we use the subdirectory coming first in the URL, and how is it configured? Is it something configured on the server?
It's called a subdomain. It's configured as a DNS entry, and the Web server listens for requests to the whole subdomain.
Some domain registrars have DNS host record configuration, where you set up - for example - mail.yourdomain.com for a given IP address. Then the domain registrar's DNS server points to the configured IP address, and the Web server receives a request with that IP address and the mail.yourdomain.com host name, which it uses to identify which Web site should be served to the client (e.g. a Web browser).
Configuration may depend on the Web server technology (e.g. Apache, IIS, ...).

Why is the IP not pointing to the Joomla main page?

Given the following URL: http://domain/index.php, where index.php is the main webpage on a Joomla server, I want to get the URL in IP format, http://IP/index.php. I've tried that with several Joomla servers without success. What is happening?
I will try to keep this answer simple, yet understandable.
The relation between Internet domains and IP address is not necessarily one-to-one.
In shared hosting, a single IP address may be used by several domains (or hostnames).
A Host header, which is a part of the HTTP standard, is sent with the HTTP request. This allows the server to determine which site to serve.
When you are trying to access a domain for which you don't know the IP, DNS lookup is performed, which provides the requested IP address.
An HTTP request is then sent to that IP with a Host header containing the hostname (which contains the domain name).
If you are trying to access the IP directly, for example by typing it into a web browser's address bar, the value of the Host header will be the IP itself and the server will have no indication of which domain you actually want.
It is possible to set up a default behavior for cases where the IP address is directly accessed, but it is highly likely that a shared host will not allow you to set it yourself.

How to let users have their domain name point to their profiles on my site

I want to implement something like Tumblr or WordPress by giving users the option to have their domain name point to their profiles. For instance, users go to their domain registrar and enter the IP of my server, so that www.usersdomain.com will point to www.mysite.com/userid without actually forwarding, so the domain name will still show in the address bar.
I wish you could describe the steps for doing so in detail.
I'm using Ruby on Rails, if that makes a difference. My production environment has Nginx and Passenger.
My point of view:
Users change the DNS records of their sites to point to the IP address of your server. After that, every HTTP request to their domains will be "caught" by your IP address and your application (you should reconfigure your HTTP server, however).
Every HTTP request contains the Host header. That header allows us to do such a thing as virtual hosting: many hosts can point to only one IP.
In your application, just extract Host from the request and query your database for the user with such a host.
Flush the contents of their page, and that's all.
For example, the IP of your service is 100.100.100.100 and my domain is redsocks.com. I need to change the DNS (an A record) of my domain to point to your IP. Suppose I did.
When I point my browser to my domain, the browser makes the following request (or similar) to your own IP, not mine:
GET / HTTP/1.1
Host: redsocks.com
...
Your application has code (pseudocode, in Rails terms) that deals with my request:
user = User.find_by(domain: request.host)   # request.host is the Host header value
if user.nil?
  render_not_found_page
else
  contents = Content.get_contents_of_user(user)
  render_contents_of_user contents
end
And I see my very own page within your service on my domain.
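The three threads above (the subdomain question, the Joomla-by-IP question and this custom-domain question) all come down to one mechanism: the server picks a site from the Host header. The following is an added Ruby example, not code from any of the posts, of a minimal name-based virtual-host dispatcher. The site table, the user domain redsocks.com, the site labels and the sample request are constructed for the example. It shows why a subdomain is just another entry in the table, why a request to http://IP/ lands on the default site (the Host value is an IP literal, not a name), and why an unrecognised custom domain must fall through to a default rather than match anything. It also does the validation a real deployment needs: the Host header is client-controlled, so it is canonicalised and checked before it is used as a lookup key, and a request with zero or duplicate Host headers is treated as malformed.

```ruby
require 'ipaddr'

# Added example, not from the original posts. Every name, address and site
# label below is a constructed assumption for the illustration.
SITES = {
  'www.example.com'  => 'main-site',
  'mail.example.com' => 'webmail',   # a subdomain is just another Host name
}.freeze
USER_DOMAINS = { 'redsocks.com' => 'user-42' }.freeze   # customer domains pointed at our IP
DEFAULT_SITE = 'default-site'        # served when Host carries no usable name

HOSTNAME_RE = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/

# Canonicalise a Host header value the way a server does before matching its
# vhost table: lowercase, drop a :port suffix and a trailing dot. Returns nil
# when the value is empty, an IP literal, or not a syntactically valid
# hostname, so nothing attacker-shaped ever becomes a lookup key.
def canonical_host(raw)
  return nil if raw.nil? || raw.strip.empty?
  h = raw.strip.downcase
  if h.start_with?('[')               # bracketed IPv6 literal, e.g. "[::1]:8443"
    close = h.index(']')
    return nil if close.nil?
    h = h[1...close]
  else
    h = h.split(':', 2).first         # strip ":443"
  end
  h = h.chomp('.')
  return nil if h.empty?
  begin
    IPAddr.new(h)                     # parses, so it is an IP literal, not a name
    return nil
  rescue IPAddr::Error
    # not an IP literal; fall through to hostname validation
  end
  HOSTNAME_RE.match?(h) ? h : nil
end

# Pull the Host header out of a raw HTTP/1.1 request. Exactly one Host header
# is required; zero or duplicates make the request malformed (nil).
def host_from_request(raw)
  header_lines = raw.split(/\r?\n/).drop(1).take_while { |l| !l.empty? }
  hosts = header_lines.map do |line|
    name, value = line.split(':', 2)
    value.to_s.strip if name.to_s.strip.casecmp?('host')
  end.compact
  hosts.size == 1 ? hosts.first : nil
end

# Pick the site to serve. Unknown or unusable names fall back to the default
# site: this is why http://IP/ on a shared host does not show your domain's
# site, and why an unrecognised custom domain must not match any user.
def dispatch(host_header)
  h = canonical_host(host_header)
  return DEFAULT_SITE if h.nil?
  SITES[h] || USER_DOMAINS[h] || DEFAULT_SITE
end

# Constructed sample request, the exchange described in the custom-domain thread.
SAMPLE_REQUEST = "GET / HTTP/1.1\r\nHost: redsocks.com\r\nConnection: close\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  puts dispatch(host_from_request(SAMPLE_REQUEST))   # user-42
  puts dispatch('203.0.113.5')                       # default-site
end
```

In a Rails application the equivalent of canonical_host plus the table lookup is request.host matched against a domains column, with the unmatched case rendering 404. Do not skip the validation step: anything built from the Host header (absolute URLs in e-mails, password-reset links, redirects) is poisoned if an unchecked value is trusted, and with user-supplied domains the table lookup must be an exact match on the canonical name, never a substring or regex match. Rails 6 and later additionally let you list the names the application will answer to in config.hosts, which rejects unknown Host values before they reach your controller.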
